Huge cyber bank theft nets $45 million in 27 countries

Images taken from the phone of a suspect, who was one of the eight individuals charged with using data obtained by hacking into two credit card processors in a cybercrime scheme, are presented at a news conference in New York, May 9, 2013. (Reuters)

Casher crews in other countries were busy doing the same, pulling some $40 million from Bank of Muscat to add to the $5 million they stole from RAKBANK in December, according to the indictment. In total, cashers made some 40,500 withdrawals in 27 countries during the two coordinated incidents.

Prosecutors said the method of attack was known as "Unlimited Operations" in the cyber underworld.

Representatives for the two banks could not be reached for comment outside of regular business hours.

In a statement, Mastercard said it had cooperated with law enforcement in the investigation and stressed that its systems were not involved or compromised in the attacks.

In late February, Bank Muscat disclosed that it would take an impairment charge of up to 15 million rials because it had been defrauded overseas by 12 prepaid debit cards used for travel. That charge was equal to more than half of the 25 million rials profit it posted in its first quarter ended March 31.

HIGHLY SKILLED HACKERS

Cyber experts said they believe the operation likely required the work of several hundred people, at least several of whom were highly skilled hackers capable of devising ways to penetrate well-protected financial systems.

"Hackers only need to find one vulnerability to cause millions of dollars of damage," said Mark Rasch, a former federal cyber crimes prosecutor, based in Bethesda, Maryland.

The group may have targeted Middle Eastern banks because they tend to allow customers to put much larger sums on cards and do not monitor them as closely as banks in other regions, said Shane Shook, global vice president of consulting for the security firm Cylance Inc.

"It's a target-rich environment in terms of soft electronic security," said Shook, an Arabic speaker who has spent more than a decade investigating cyber crimes.

The case is similar to one in 2009 that targeted the prepaid debit-card unit of Royal Bank of Scotland, which lost more than $9 million in less than 12 hours, said Jason Weinstein, a former federal prosecutor who supervised the Justice Department's handling of that case.

That case was considered a watershed moment in cyber crime prosecutions at the time. "This dwarfs that case," he said.

It is not clear if banks can seek to recover losses from card processors, legal experts said. Contracts usually have specific language governing the security protocols that must be in place, said Frederick Rivera, an attorney with Perkins Coie who specializes in financial services litigation.